ZAFS Group IT Consulting

HIPAA Compliance Audit & Report

A fast, practical HIPAA compliance assessment tailored for small practices and clinics. You get a clear report, prioritized risks, and actionable remediation steps. We also fix one top-risk item as part of the engagement.

  • Admin, Physical, Technical Safeguards
  • Risk Register & Remediation Plan
  • Policy & Control Gaps

Fixed Price: $1,800
  • Onsite or remote walkthrough
  • Findings report (PDF)
  • Risk register with priorities
  • We fix 1 top-risk item (included)
Typical turnaround: 7–10 business days after kickoff and access.

Scope

We assess safeguards against HIPAA requirements and common insurer audits.

Administrative
  • Policies & procedures (privacy, security, breach)
  • Risk analysis approach & documentation
  • Workforce training & sanctions
  • BAAs & vendor risk
Technical
  • Access controls, MFA, role-based access
  • Encryption at rest/in transit
  • Audit logs & log retention
  • Patch/backup strategy; endpoint baselines
Physical
  • Facility access & workstation placement
  • Server/IDF security, CCTV coverage
  • Disposal of media & devices
Systems in scope
  • EHR/EMR and data flows
  • Email, file sharing, M365/Google Workspace
  • Network (LAN/WAN/Wi-Fi), VPN, firewalls
  • Remote access & telehealth

Deliverables

Everything you need to brief leadership and satisfy auditors.

Findings Report (PDF)
  • Executive summary & risk posture
  • Gap analysis vs HIPAA safeguards
  • Prioritized risk register (High/Med/Low)
  • Remediation plan with effort/impact
Artifacts
  • Network diagram & data flow overview
  • Sample policy templates (as needed)
  • Audit log & backup checks
Included Remediation

We fix one top-risk item from the report at no extra cost. Examples:

  • Enable MFA & conditional access on M365/Entra
  • Harden firewall VPN (cipher suites, split-tunnel policy)
  • Force email encryption policy for PHI keywords
  • Encrypt laptop storage & enforce screen-lock

Notes: single task, typically up to ~3 hours remote effort; anything larger is scoped separately.

Timeline

Typical, assuming prompt access.

Kickoff (Day 0)

30-min scope review, access list, data request checklist.

Discovery (Days 1–4)

Interviews, config/screenshots review, quick scans, policy sampling.

Report (Days 5–7)

Findings write-up, risk register, remediation plan.

Fix Top Risk (Days 7–10)

We implement one high-impact fix and validate.

What we need

Lightweight access; we keep it simple.

  • Read-only view or guided screenshare of EHR/EMR admin, firewall, M365/Google admin
  • Sample policies (PDF/Word), BAAs list, training log
  • Network diagram (if available) or quick topology walkthrough
  • Two points of contact for questions (clinical + IT)

FAQs

Is this enough for my insurer or auditor?

Yes—clients use our report and risk register to satisfy common payer and security questionnaires. If they require extra artifacts, we’ll map what’s missing.

What does “fix one top-risk item” cover?

A single, discrete change (e.g., enable MFA, enforce encryption policy, harden a VPN). Larger projects (e.g., full email migration) are scoped separately.

Do you write policies?

We provide templates and gap notes. We can customize policies as an add-on if you don’t have them.

Onsite vs remote?

Remote by default; onsite available in the NY area on request.

Disclaimer: HIPAA compliance is a shared responsibility across people, process, and technology. This audit assesses controls and identifies gaps; ultimate compliance depends on your organization’s continued implementation and enforcement.

Ready to get your HIPAA house in order?

Book a quick call or send the contact form—we’ll confirm scope and kickoff.